GroundWork Monitor Enterprise XML External Entity Injection And Command Injection Vulnerabilities
BID:58407
Info
| Bugtraq ID: | 58407 |
| Class: | Design Error |
| CVE: | CVE-2013-3503 CVE-2013-3502 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 06 2013 12:00AM |
| Updated: | May 09 2013 12:42PM |
| Credit: | Johannes Greil, SEC Consult Vulnerability Lab |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
GroundWork Monitor Enterprise is prone to an XML External Entity injection vulnerability and a remote command-injection vulnerability.
Attackers can exploit these issues to execute arbitrary commands and obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
GroundWork Monitor Enterprise 6.7.0 is vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit these issues using readily available tools or a browser.
The following exploit code is available:
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].